package core.security;  
  
import javax.servlet.http.HttpServletRequest;  
import javax.servlet.http.HttpServletResponse;  
import javax.servlet.http.HttpSession;  
  
import org.apache.commons.lang.xwork.StringUtils;  
import org.springframework.security.authentication.AuthenticationServiceException;  
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;  
import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
import org.springframework.security.core.Authentication;  
import org.springframework.security.core.AuthenticationException;  
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;  
  
import model.security.UsrUser;  
import dao.security.UsrUserDao;

public class MyUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter{  
    public static final String VALIDATE_CODE = "validateCode";  
    public static final String USERNAME = "username";  
    public static final String PASSWORD = "password";  
      
    private UsrUserDao userDao;
    private UsrUser user=new UsrUser();
    @Override  
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {  
        if (!request.getMethod().equals("POST")) {  
            //throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());  
            throw new AuthenticationServiceException("请重新登录 ！");  
        }  
        //检测验证码  
       // checkValidateCode(request);  
          
        String username = obtainUsername(request);
        String password = obtainPassword(request);
        
        username=username.trim();
        
        user=userDao.findOne("useraccount", username);

        if(user==null){
        	throw new AuthenticationServiceException("用户名不存在！");
        }else{
        	password=new Md5PasswordEncoder().encodePassword(password, username);
        	if(!user.getUserpassword().equals(password)){
        		throw new AuthenticationServiceException("密码错误！");   
        	}
        }
        
        //创建用户id
        HttpSession session = request.getSession();
        session.setAttribute("thisuserid", user.getUserid());
        
        //UsernamePasswordAuthenticationToken实现 Authentication  
        UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
          
        // 允许子类设置详细属性  
        setDetails(request, authRequest);  
          
        // 运行UserDetailsService的loadUserByUsername 再次封装Authentication  
        return this.getAuthenticationManager().authenticate(authRequest);  
    }  
      
    protected void checkValidateCode(HttpServletRequest request) {   
        HttpSession session = request.getSession();  
          
        String sessionValidateCode = obtainSessionValidateCode(session);   
        //让上一次的验证码失效  
        session.setAttribute(VALIDATE_CODE, null);  
        String validateCodeParameter = obtainValidateCodeParameter(request);    
        if (StringUtils.isEmpty(validateCodeParameter) || !sessionValidateCode.equalsIgnoreCase(validateCodeParameter)) {    
            throw new AuthenticationServiceException("验证码错误！");    
        }    
    }  
      
    private String obtainValidateCodeParameter(HttpServletRequest request) {  
        Object obj = request.getParameter(VALIDATE_CODE);  
        return null == obj ? "" : obj.toString();  
    }  
  
    protected String obtainSessionValidateCode(HttpSession session) {  
        Object obj = session.getAttribute(VALIDATE_CODE);  
        return null == obj ? "" : obj.toString();  
    }  
  
    @Override  
    protected String obtainUsername(HttpServletRequest request) {  
        Object obj = request.getParameter(USERNAME);  
        return null == obj ? "" : obj.toString();  
    }  
  
    @Override  
    protected String obtainPassword(HttpServletRequest request) {  
        Object obj = request.getParameter(PASSWORD);  
        return null == obj ? "" : obj.toString();  
    }

    public UsrUserDao getUserDao() {
		return userDao;
	}

	public void setUserDao(UsrUserDao userDao) {
		this.userDao = userDao;
	}  
      
      
}  